-
Unaffected program versions

SquirrelMail S/MIME Plugin 0.6

-
Vulnerability discussion

A vulnerability exists in the SquirrelMail S/MIME plug-in that may allow malicious Web mail users to execute system commands remotely. The source of the problem is that user data is passed to the PHP 'exec()' function without sufficient sanitization.

Command execution would occur in the context of the Web server hosting the vulnerable software.
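
The class of flaw described above, shown as an added example that is not the plugin's code: a PHP 'exec()' call built from request data, beside a hardened form that allowlists the value, confines it to one directory and quotes it. The function names, the certificate directory, the `.pem` file-name format and the `openssl x509` command line are assumptions made for illustration.

```php
<?php
// Constructed illustration, not the S/MIME plugin's code. Function names,
// the directory and the file-name format are assumptions for this example.

// Vulnerable pattern: request data is concatenated into the command line,
// so the shell interprets any metacharacters it contains.
function show_cert_unsafe(string $certDir, string $name): array
{
    exec("openssl x509 -in $certDir/$name -noout -text", $out, $rc);
    return [$rc, $out];
}

// Hardened pattern: validate, confine to the directory, then quote.
function show_cert_safe(string $certDir, string $name): array
{
    // 1. Accept only a fixed file-name shape (assumed: <alnum, _ or ->.pem).
    if (!preg_match('/\A[A-Za-z0-9_-]{1,64}\.pem\z/', $name)) {
        throw new InvalidArgumentException('invalid certificate name');
    }
    // 2. Resolve the path and confirm it stays under $certDir.
    $base = realpath($certDir);
    $path = realpath($certDir . '/' . $name);
    if ($base === false || $path === false
        || strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        throw new RuntimeException('certificate not found');
    }
    // 3. escapeshellarg() turns the value into one literal shell word.
    $cmd = 'openssl x509 -in ' . escapeshellarg($path) . ' -noout -text';
    exec($cmd, $out, $rc);
    return [$rc, $out];
}

// Constructed inputs. Only the first has a valid shape, and it runs only if
// the file exists; the other two are rejected before a command is built.
foreach (['alice.pem', 'alice.pem; id', '../../etc/passwd'] as $input) {
    try {
        [$rc] = show_cert_safe('/tmp/example-certs', $input);
        echo "$input => ran, exit code $rc\n";
    } catch (Exception $e) {
        echo "$input => rejected: " . $e->getMessage() . "\n";
    }
}
```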

-
Exploit

There is no exploit required.

-
Solution

This issue has been resolved in version 0.6 of the S/MIME plugin.

SuSE has released advisory SUSE-SA:2005:015, which reports in its pending vulnerabilities section that new SquirrelMail packages are available on their FTP server. Please see the referenced advisory for more information.

SUSE has released an advisory SUSE-SR:2005:008 to address various security issues affecting SUSE products. Please see the referenced advisory for more information.